WIXLIB

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCEUsing open-source software can present similar risks,as the Log4j vulnerability demonstrated in December2021 and beyond. To prevent more Log4j-type supplychain issues in the future, Council members encouragesecurity practitioners to provide more feedback to theopen-source community in a consistent and systematicway. They specifically recommend that application securityresources devote some of their time to looking at opensource code and reporting potential vulnerabilities. MikeOrosz, vice president of information and product securityat Vertiv, suggests that it may be time for the platformshosting open-source code to create terms and conditionsthat state that in exchange for using their software forfree, users agree to report back on any vulnerabilities theyfind, along with potential solutions.15SPONSORED BYAlex Schuchman, CISO for Colgate-Palmolive Company,recommends using tools that validate open sourcelibraries, check for vulnerabilities and dependencies, andprovide curated repositories from which to pull code.Some tools that perform those activities include NodeSecurity Project, Gemnasium, Source Clear, Protecode andSonatype.

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCE2PRINCIPLEUNDERSTAND THE THREATDefend Forward security strategies hinge on organizationshaving a keen understanding of the attackers most likelyto target them, the reasons those attackers would want tocompromise them, and the methods they’d be most apt to use,including the network security, application security, and supplychain security weaknesses they could exploit. Since adversarieshave so many vulnerabilities at their disposal, prioritizingvulnerabilities becomes an extremely important component ofproactive defense.Council members note that participating in classified governmentthreat intelligence programs can give organizations visibility intothreats and threat actors they wouldn’t otherwise get. Althoughorganizations would need to put certain policies and controls inplace to obtain the security clearances required to participatein those programs, taking such steps is increasingly necessary,especially for organizations operating in critical infrastructuresectors, as those sectors face heightened threats from nationstate actors.16SPONSORED BYBy understanding howour adversaries aretrying to target us, wecan be more focusedin our defense insteadof trying to protect allthings equally.RICARDO LAFOSSECISO OF THE KRAFT HEINZ COMPANY

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCE317PRINCIPLEINTELLIGENCE SHARING AND COLLABORATIONCouncil members agree that collaboration andintelligence sharing across industries and withthe federal government, CSIRTs, and academicinstitutions is critical to understanding andproactively addressing threats. The drawback:information sharing remains fraught withchallenges. Some of the biggest barriers includeprotecting confidentiality, especially in smallermarkets like Korea and Malaysia, and building andmaintaining trust.Building trust–both within and across industries, andbetween the public and private sectors–obviouslytakes time, but information sharing groups canfacilitate it with policies and processes designed toprotect anonymity. For example, Council membersrepresenting ISACA Singapore and the Global OTISAC say their organizations’ Safe Harbor provisionshave fostered greater openness among theirmembers by granting a degree of anonymity alongwith some liability protection.“Nobody wants to share potentially embarrassingexperiences,” says Hoo Ming Ng, former deputy chiefexecutive for Singapore’s Cyber Security Agency.In addition, the OT-ISAC supports machine-tomachine sharing mechanisms that leverageTraffic Light Protocol (TLP) and anonymoussubmissions. The OT-ISAC has also establisheddifferent classifications for sharing that include:restricted information that can only be shared witha proscribed group; confidential information thatmay only be shared within a specific community;information that can be shared among generalOT-ISAC members, with other groups, and withgovernment partners; and information that can beshared freely with the public.SPONSORED BY

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCEDespite industry groups’ efforts to build trust andmake their participants and the organizationsthey represent feel confident in sharing sensitiveintelligence, several Council members say theirorganizations’ corporate policies, intended toreduce their legal exposure, limit the informationthey are allowed to share. To overcome thisparticular hurdle, they say there is a need toshow that the costs of not sharing intelligenceon cyberattacks outweigh potential legal andreputational risks associated with sharing. Reportson the cost of data breaches from public filings withthe US Securities and Exchange Commission (SEC)may help security leaders make this case. Globalregulators also need to address conflicts betweenlaws that penalize organizations for breaches andother laws intended to encourage sharing.Globally, Council members concur that policyand financial incentives are needed to promotecollaboration across the private sector and withpublic sector entities. Market forces, like contractualterms with vendors and suppliers, along with cyberinsurance coverage models, may also serve tofoster collaboration and intelligence sharing.As intelligence sharing increases, Council memberssay platforms are needed to deconflict differentsources of intelligence and help prioritize actions–e.g., for high risk threats, organizations should focuson investigation, deterrence and disruption, andfor low risk threats, organizations can focus onprevention and awareness.I want to be in a world where companies can be more transparent aboutsecurity incidents and where that kind of transparency doesn’t invalidate orcancel a company. We need to resist the impulse to bayonet the wounded.SAM CURRYCSO, CYBEREASON18SPONSORED BY

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCE4PRINCIPLEUSE INTELLIGENCE TO INSTILL A BIAS FOR ACTIONCouncil members say threat intelligence shoulddrive a wide variety of strategic and tactical securitydecisions short of offensive activities, and theyencourage all security practitioners to incorporateactionable threat intelligence into their day to dayactions and decision-making as much as possible.Robert Oh, the executive vice president, head ofcorporate digital strategy and COO of DoosanDigital Innovation, says having the right processes inplace to synthesize and deploy threat intelligence iscritical. It’s also critical to consult with relevant lawenforcement officials before taking any responseactions that may inadvertently create legal orregulatory risks.Design goals based on intelligence can help securityleaders instill a bias for action among themselves andtheir teams. These goals clarify the threat actorsthat security teams are trying to protect theircompanies from, as well as the level of resourcesand sophistication an organization anticipates anadversary would dedicate to an attack.19SPONSORED BY“Design goals drive a level of accountability forachieving specific security and business resiliencyoutcomes,” says Malcolm Harkins, chief securityand trust officer for Epiphany Systems. “Designgoals help security leaders and their teams identifyeverything they need to put in place from a people,process and technology perspective. Securityleaders can then use penetration testing and otherexercises to determine whether or not they’reachieving those goals.”Threat intelligence isn’t only important to securityteams. Beth-Anne Bygum, senior vice president andchief security and compliance officer at Acxiom,and BT emeritus CSO Steve Benton recommendgetting threat intelligence into the hands of businesspeople, especially those working in governance, riskand compliance (GRC) functions, so they can makerisk-intelligent business decisions and take proactivemeasures every day to reduce their organization’sexposure.

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCEFor example, Bygum recommends that GRC teamsapply threat intelligence to contract negotiationswith vendors. If GRC teams know vulnerabilities incertain vendors’ software are leading to breaches,they know to incorporate “right to audit” clausesinto contracts. “When I have vendors who arenot patching or keeping their code current, I callon that right to audit and to have CISO to CISOconversations between myself and the vendorbecause of the potential supply chain issues the lackof patching could create,” Bygum says.Getting teams to act on intelligence takes aconcerted effort, and sometimes, culture change.While serving as the 36th Commandant of theMarine Corps, General Dunford took creative stepsto build a culture of intelligence sharing. He went sofar as to have posters made in his organization thatposed the following questions: What do I know? Whyis it important? Who else needs to know about it?Have I told them? What needs to be done with thisinformation? Who needs to do it? Did they do it?“These are the kinds of things that are required tomove people beyond the passive state of receivingintelligence to actually do something with it,” he says.BUILDING A CULTURE OF INTELLIGENCE SHARINGKey Questions Security Teams Can Ask Themselves Every DayWhat do I know? Have I told them? Who needs to do it?Why is it important? What needs to bedone with thisinformation? Did they do it? Who else needs toknow about it?20SPONSORED BY

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCE5PRINCIPLELEVERAGE LARGE-SCALE ANALYTICS AND TECHNOLOGY TOTHE GREATEST EXTENT POSSIBLELarge-scale analytics capabilities hold the promiseof enabling security teams to address one of theirbiggest challenges: the fact that they are drowningin data and alerts that do not rise to the level of actualintelligence. The downside is that this infrastructureand these capabilities do not come cheap. What’smore, according to a survey of IT and cybersecurityleaders conducted by CIO Academy Asia, manyorganizations lack the mature data managementcapabilities required to fully leverage artificialintelligence and machine learning at scale for threathunting, early detection and automated response.21SPONSORED BYOn the upside, vendors and services providers areincreasingly building this infrastructure and hostingit on behalf of clients to make it more accessible tomore organizations. The more organizations haveaccess to advanced analytics, the more they cangain an operation-centric view of malicious activityon their systems and networks, and the moreeffectively they can use behavioral indicators toproactively spot and stop suspicious activity in itsearliest stages, before it leads to business impact.

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCE6PRINCIPLEASSUME YOU'RE STILL AT RISKCouncil members have shown how a DefendForward mindset and approach can helpsecurity leaders build robust programs fortheir organizations that drive accountability anddeliver meaningful business and cybersecurityoutcomes. Although Defenders may never be ableto completely deter cyberattacks, especially thosethat are nation-state sponsored, if we collectively do22SPONSORED BYthe equivalent of identifying the “doors and windows”that adversaries are likely to exploit, lock them down,and put pressure on third-party partners to do thesame, we’ll have more than a fighting chance to allbut eliminate opportunistic and financially motivatedattacks and curtail the risk posed by nation-statesponsored operations as well.

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCENORTH AMERICA/EMEA COUNCIL MEMBERS23PHILIPP AMANNHEAD OF STRATEGY EUROPEAN CYBERCRIMECENTER, EUROPOLSTEVE BENTONEMERITUS CSO - FORMERDIRECTOR OF PROTECTBT SERVICES ANDOPERATIONS, BTPAUL BIVIANDIRECTOR OFINFORMATIONSECURITY, KIRKLAND &ELLIS LLPKEVIN BROWNCISO, SAICBETH-ANNE BYGUMSVP - CHIEF SECURITYAND COMPLIANCEOFFICER, ACXIOMROLAND CLOUTIERGLOBAL CSO, TIKTOKJOSEPH DUNFORD19TH CHAIRMANOF THE JOINTCHIEFS OF STAFFRENEE GUTTMANNEMERITUS CISO,TIME WARNER AND THECOCA-COLA COMPANYMALCOLM HARKINSCHIEF SECURITYAND TRUST OFFICER,EPIPHANY SYSTEMSPETER KUNZDIVISIONAL CISO, LEICAGEOSYSTEMSRICARDO LAFOSSECISO, THE KRAFT HEINZCOMPANYJANET LEVESQUECISO, ATHENAHEALTHSPONSORED BYSAM CURRYCSO, CYBEREASON

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCENORTH AMERICA/EMEA COUNCIL MEMBERS24DAVE LEWISGLOBAL ADVISORY CISO,CISCODR. YONESY F. NÚÑEZCISO, JACK HENRY &ASSOCIATESKERISSA VARMAMANAGING EXECUTIVE- CYBERSECURITY,VODACOMERIK WILLECISO, AMERICAN AXLE& MANUFACTURINGSPONSORED BYMIKE OROSZVP INFORMATION/PRODUCT SECURITY,VERTIVTHERESA PAYTONCEO, FORTALICE, ANDFORMER WHITE HOUSECIOCHRISTOPHER PETERSVP AND CSO, ENTERGYNILS PUHLMANNCO-FOUNDER, CLOUDSECURITY ALLIANCEALEX SCHUCHMANCISO,COLGATE-PALMOLIVECOMPANY

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCEASIA-PACIFIC COUNCIL MEMBERS25HOO MING NGFORMER DEPUTY CHIEFEXECUTIVE, CYBERSECURITY AGENCY OFSINGAPORECHARLES NGEVP - INTERNATIONALBUSINESS &CONSULTING, ENSIGNINFOSECURITYKEITH LEONGMANAGING DIRECTOR GLOBAL DELIVERY, NCSCHUAN WEI HOOGROUP CISO, STENGINEERINGEUGENE TEOVP AND DEPUTY CSO,ULTIMATE KRONOSGROUP (UKG)YUEZHONG BAOCISO, LAZADA GROUPBORIS HAJDUKCISO, TOKOPEDIAMICHAEL BECERRACISO, DHL EXPRESSCHRISTOPHER LEKDIRECTOR CYBERSECURITY, NANYANGTECHNOLOGICALUNIVERSITYSHAO FEI HUANGPRINCIPAL SECURITYARCHITECT, AWSSPONSORED BYSTEVEN SIM KOK LEONGPRESIDENT, ISACASINGAPOREJOHN LEEMANAGING DIRECTOR- APAC, GLOBALRESILIENCE FEDERATION& OT-ISACPEI YUEN WONGCTO, IBM SECURITYSENG WEI KENGCISO, DBS BANKPAUL LEKDIRECTOR - IT RISKMANAGEMENT &SECURITY APJ, MSD(MERCK & CO.)LEONARD ONGAPAC CISO, GEHEALTHCAREJOHNNY KHOPRESIDENT,ASSOCIATION OFINFORMATION SECURITYPROFESSIONALS

DEFEND FORWARD A PROACTIVE MODEL FOR CYBER DETERRENCEASIA-PACIFIC COUNCIL MEMBERS26SHIH HSIEN LIMCISO AND CSO, CERTISJASON WONGGLOBAL HEAD OFIT SECURITY &COMPLIANCE, DYSONDATO’ TS. DR. HAJIAMIRUDIN ABDULWAHABCEO, CYBERSECURITYMALAYSIASHANKAR KRISHNANCISO, AXIATA DIGITALSERVICES & BOOSTMALAYSIAANGEL REDOBLEGROUP CISO,PLDT & SMARTCOMMUNICATIONSYARON SLUTZKYCSO, AGODAROBERT OHEVP - HEAD OFCORPORATE DIGITALSTRATEGY & COO OF DDIBU HEADQUARTERS,DOOSANJOHN TAYLORGROUP CIO TECHNOLOGY &SECURITY, MEDHEALTHJASON LAUCISO, CRYPTO.COMDENNY HUSENGLOBAL HEAD OFINCIDENT RESPONSE,CRYPTO.COMSPONSORED BYMEL MIGRIÑOGROUP CISO, MERALCO(MANILA ELECTRICCOMPANY)

The Cyber Defenders Council is an independent group of preeminent cybersecurity leaders from public- and private-sector organizations around the world. The mission of the Council is to adapt an approach to cyber deterrence, known as "Defend Forward," for private-sector enterprises and to provide prescriptive guidance